Search the Community

BACKGROUND: In the past I have retrieved an HTTPRequest via the $_GET superglobal, used the data from the superglobal to access a MySQL database, and from the thus retrieved data, generated an array of parameter values that I then assigned to a local array. This local array was then assigned to a $_SESSION variable where it was used for other purposes. This time, I would like to make the routing of data less circuitous. QUESTION: Does the following expression make sense? $_SESSION = $_GET; Roddy

This script shows the fetched data in a modify form. In the old situation I used rec_num wich was corresponding to the record number in the database.table For security reasons I added a uniqid column to the table. So not like under with an input hidden attribute for uniqid. If possible I would like it to be stored in a session variable. This is doable like above, but outside the foreach loop only the last value is stored. How to connect every single uniqid value (for multiple records!) to the separated rec_num without users being able to see the uniqid? $value = $_POST['checkbox_values']; $i=0; foreach ($value as $values) { if (++$i > 10) break ; $element = explode(" / " , $values); $_SESSION['uniqid'] = $element[1]; var_dump($_SESSION['uniqid']); ?> <form action = "" method="post"> <input type ="hidden" name="rec_num[]" value="<?php echo $element[0] ;?>" > <!--<input type ="hidden" name="uniqid[]" value="<?php echo $element[1] ;?>" >--> <input type ="text" name="value1[]" value="<?php echo $element[5] ;?>" > <input type ="text" name="value2[]" value="<?php echo $element[6] ;?>" > <input type ="text" name="value3[]" value="<?php echo $element[7] ;?>" > <input type ="text" name="value3[]" value="<?php echo $element[8] ;?>" > <br> <?php } ?><br> <input type="submit" name="send" value="Modify "> </form>

hi there, I bumped into the use of session_set_cookie_param() and was thinking about how to limit access for undesired users. Besides lifetime, I thought it would be effective to set the domain param. But how effective is this in real? Isn't it also possible to spoof domain names. (as a lot can be crafted ). is there any evidence this can be done and if so how to avoid it? Like cloaking domains or so or is that exaggerating and time consuming?

Hi, I had to use Session cookies for a little web application I'm working on, but I can't find solution to the problem mentioned above. I get the warning: This warning points to line 1. I've tried to create a new .php file, with the following code: <?php session_start(); ?> Only 3 lines of code, using nothing but Windows Notepad and I still get the same warning. I've tried to find solutions but couldn't find any in here, nor in Google. The only explanation I could think of, is a server problem who send headers in each call. It doesn't make any sense though. Someone ever experienced this? Any thoughts of how to fix this? Thanks in advance, Petrucho.

when working with $_SESSION and creating a super global then in the script where I use include and call the variable the entire form is showing up. I have to work with $_SESSION, because $_POST or $_GET wont work in this situation. Is there a way to transfer a form value to another script, and then a single value and not the complete form with everything in it.

Hey all, I have the code which display the result in a box, however i want to alter the code so it stores the result in a php session instead of displaying directly. //Preview$("#newsletter-builder-sidebar-buttons-cbutton").click(function(){ $("#sim-edit-export").fadeIn(500); $("#sim-edit-export .sim-edit-box").slideDown(500); $("#newsletter-preloaded-export").html($("#newsletter-builder-area-center-frame-content").html()); $("#newsletter-preloaded-export .sim-row-delete").remove(); $("#newsletter-preloaded-export .sim-row").removeClass("ui-draggable"); $("#newsletter-preloaded-export .sim-row-edit").removeAttr("data-type"); $("#newsletter-preloaded-export .sim-row-edit").removeClass("sim-row-edit"); preload_export_html = $("#newsletter-preloaded-export").html(); $.ajax({ url: "css/newsletter.css" }).done(function(data) { export_content = '<style>'+data+'</style><link href="http://fonts.googleapis.com/css?family=Source+Sans+Pro:200,300,400,600,700,900,200italic,300italic,400italic,600italic,700italic,900italic" rel="stylesheet" type="text/css"><link rel="stylesheet" href="http://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css"><div id="sim-wrapper"><div id="sim-wrapper-newsletter">'+preload_export_html+'</div></div>'; $("#sim-edit-export .text").val(export_content); }); $("#newsletter-preloaded-export").html(' '); }); Thanks in advance! funstad

Hey there, i have a Java MVC Web Application that uses the Spring-Library for the Backend and then JSP files for the frontend. Now, in various JSP files i am using Ajax to have some smooth design when needed. This whole application is running on an Apache Tomcat Server. I have to admit that i am still very new in the whole Web-Development thing, so bare with me.Following problem: In the current state, i feel like the tomcat server is automatically handeling the Sesions, including session-timeouts. So, i can specify the time when a session is supposed to count as timed out and everything, the server recognized this correctly and whenever i try to request something with a timedout session the server automatically logs me out and brings me back to the login page. I havent found any implementation of such behavior in the source-code, hence i assume that this is somehow implemented by some standard tomcat routine. The problem with this behavior is, that the server sends a 302 redirect message specifying the login-Page as Location in the response-header. While this works fine for normal requests it is bad for ajax-requests, as these cannot handle 302 codes. The browser catches that one and the ajax-call has no chance to ever process the reply. I am experiencing weird cookie problems and i supsect that this might be the cause of the problem. Now, it shouldnt be hard to check whether or not a request is done by an ajax-call or not. However, i have no clue WHERE i should do so. Edit: I know that there is a way of specifying Filters and there is a way of setting up a listner that gets informed about Session-creations and destructions. However, none of these suit what i want. I need to cut in at a level that allows me to process a request, see if it is an ajax-call and then see if the session used along it is timed out and then i need to be able to decide how i respond to it. Using a filter i am BEHIND that step. I get controll when stuff regarding session timeout has happened already. Using a Session-Lifetime listner i do not have any infromation about the request. I cannot respond to anyone because i have no information about any Requests. How could i go about implementing my custom session-timeout behavior without interfering with the servers implementation?Am i even right assuming that the server automatically handles these cases? It feels kind of odd that the server knows that it has to logg someone out and also knows what to redirect to. Thanks in advance If there are any questions regarding mine ... ask away

i'm trying a user management page and I want to let admins to force other users logout if necessary. but I just managed to do is to set database column from "isLoggedIn = Y" to "isLoggedIn = N" but that doesn't actually logout that user. when a user loges out self, I just use "$user->logout" that includes 'session_destroy' for that user. but if a admin want's to destroy other user's session what would be the process? can please anyone guide!!???

all of my php pages works fine localy on my computer whit session, but wheni upload them to a server they dont work. I search a little and read that my sessions might get lost, i didnt understand what that meant. Can somebody tell me how i can fix that, so that i can upload my pages to a server whitout a session problem? And give examples.

Hi all, I think I have a session problem. When my site is not busy, I can stay logged in for days.But when my site is busy I get logged out within an hour. My server is running PHP 5.2 Here is my start session code... session_register("id");$_SESSION['id'] = $id;session_register('idt');$_SESSION['idt'] = base64_encode("j4p3q9w8s5rq5g3hs34$id");session_register('username');$_SESSION['username'] = $username;session_register('userpass');$_SESSION['userpass'] = $userpass;session_register('useremail');$_SESSION['useremail'] = $useremail; Here is my check session code... session_start();if (!isset($_SESSION['id'])) { header("location:../index.php");exit(); }if (!isset($_SESSION['username'])) { header("location:../index.php");exit(); }if (!isset($_SESSION['userpass'])) { header("location:../index.php");exit(); }if (!isset($_SESSION['useremail'])) { header("location:../index.php");exit(); }if (!isset($_SESSION['idt'])) { header("location:../index.php");exit(); }if (isset($_SESSION['idt'])) {$id = $_SESSION['id'];$idt = $_SESSION['idt'];$username = $_SESSION['username'];$userpass = $_SESSION['userpass'];$useremail = $_SESSION['useremail'];$decryptedID = base64_decode($_SESSION['idt']);$id_array = explode("j4p3q9w8s5rq5g3hs34", $decryptedID);$trueid = $id_array[1];if ($trueid != $id){header("location:../index.php");exit(); }else{$logincheck = "1";}$trueid = mysql_real_escape_string($trueid);$iduserpass = mysql_real_escape_string($iduserpass);$id = mysql_real_escape_string($id);$sql2 = mysql_query("SELECT * FROM mem WHERE id='$trueid' AND password='$userpass' LIMIT 1");$numRows = mysql_num_rows($sql2);if ($numRows = 1) {$logincheck = "1";}else{header("location:../index.php"); exit(); }while($row = mysql_fetch_array($sql2)){ $usernameck = $row["username"];$useremailck = $row["email"];if ($usernameck != $username){header("location:../index.php");exit(); } if ($useremailck != $useremail){header("location:../index.php");exit(); } }} any help?

I'm a little confused about session_id. What is the use of session_id ? Can you give me the practical examples ?

Hi everyone. I'm trying to write a cookie for a site I'm working on the displays a page until it triggers an onclick event. I have a section of the site that pulls up a disclaimer page with 2 options one that says I disagree and shoots you to the home page and one that triggers the cookie which if it's started in your browser will redirect you to the section you need to agree to in order to see. I've been able to get it to work upon visit, but I'm not having any luck with the on click event. I've been tweaking the script I found here --> http://www.javascrip...redirect-2.html I feel like I'm pretty close and have tried many onclick variations the following code I think is close. <a href="after-disclaimer-page.com" onClick="SetCookie('HasVisited')">I AGREE</a> Anyone have any ideas?

CMS/Forum Session/cookie management and security, picking a good example. I am starting an opensource GPL forum project primarily for the sake of learning. I have been looking at the different implementations for user authentication and session management of different CMS and forum packages.Trying to go through and learn what is being done. Also wondering which makes for the best example of a good clean way to implement it.I would prefer to store the bare minimum cookies client side and keep most data in session variables server side.Unless there is a good reason to have another cookie or two, like if it somehow added additional security. SMF & Drupal makes use of the standard session_start(), and both also use database for session management.(more scalable) phpBB3 also uses the databse for session management, but does not use the standard "session_start()"it uses custom implementation using session_begin() , session_create() , session_kill() , session_gc() I like that Drupal only had the one session cookie, however it takes me much longer to follow the functions and understand what is happening with drupal code.In drupal a lot of things are generated like forms etc, using a single function, this is very clean as it reuses a lot of code, however I would rather learn from something easier to follow.I can always make the code more efficient afterwards. mybb seemed to set more cookies than the rest, and did not make use of the standard session_start(), I am unsure if it uses the db for session management. Right now I think I have it narrowed down to either SMF or PHPBB3, I am kinda leaning toward PHPBB because of a post I found: I read this post: https://www.phpbb.co...49840#p12949840 "Stealing a session id/key is not enough to get logged in. The IP must match to the extent defined in the ACP.Also, the browser user-agent must match (enabled by default). Additionally, you can have it check the x_forwarded_for value." I would think the extra checks like user-agent, IP, x_forwarded_for would help mitigate xss and sesion fixation.phpbb3 key function quotes:"Multiple keys may exist for each user representing different browsers or locations."I am curious if they limited the number of sessions per user, so that a malicious user cant intentionally create Tons of session keys on purpose. SMF may have the same checks, I am unsure. (I do not see IP or x_forwarded_for checks in the 'cookies and Sessions' admin section of smf, but they could be hardcoded.) Any insight or opinions on the subject are appreciated, or if you know of another opensource CMS or Forum that I should take a look at as a good example. at the moment I am leaning towards further studying the phpbb3 implementation and tryint to implement something similar.

Hello, im wondering can i prevent brute-force attacks from my webpage example creating this. This should work if the user doesn't close and re-open the page after attempts are out, but i have no idea how brute-force does it. Login page <?php session_start();if(isset($_SESSION['login_attempt']) && $_SESSION['login_attempt'] < 6) {} else {//Form here}?> Login confirm page <?phpsession_start();if (isset($_SESSION['Rights']) && $_SESSION['login_attempt'] < 6) {header("Location: index.php");} elseif (isset($_POST['password']) && isset($_POST['username']) && $_SESSION['login_attempt'] < 6) {//LOGIN SCRIPT HERE} elseif ($rows > 0) { //user has logged in correctly//FEW SESSIONS TO STORE DATA} else { if (!isset($_SESSION['login_attempt'])) {$_SESSION['login_attempt'] = 1;} else {$_SESSION['login_attempt'] = $_SESSION['login_attempt'] + 1;}if ($_SESSION['login_attempt'] < 6) {echo (5 - $_SESSION['login_attempt']) . " attempts left";}}}?> Read more about brute-force here http://en.wikipedia.org/wiki/Brute-force_attack Read more about SQL-injections here (This prevention is MUST-have to SQL-based webpage) http://en.wikipedia.org/wiki/SQL_injection

Hi, I have one login page where after login i m saving user_id and password in session variables. in some page i am using an api which takes me to the new page. (like in gmail auth api.) I am using session_start in my all the pages at the top. After call back from the api my session is getting destroyed. If i again try to login and do the same process its working fine. As i checked in my firebug. After first login my session cookie is creating. After coming back from api page to my page a new session started as i have written in my page and it makes a new PHPSESSID and invalidates my previous sesssion. Second time repeating the process it doesnt do same. I want to know what i am doing wrong that it makes a new PHPSESSID. Thanks, Rahul

I was wondering how sessions worked and how similar are they to cookies. Is there a set indexes for sessions or do you define your own? How do sessions look like? Are they like cookies, where each cookie is like a file with a bunch of variables? Where are the sessions stored?

Hello W3schools again, a problem has been showed up on my little shop project again, and some people in here might knows it still... anyways... the people that tried to help me, if you are one of them. please read on... else, well... just read ... anyways... i went to my school teacher (one of them) and asked for help, and we did solve it with some big issues he told me and pointed out for me... and that was a big help for the understanding...anyways. i came home... and now the weird part is comming... when im trying to add somfthing to my shop (the cart/session)... then its like it just wont listen, because the fun part is that it (DOES) redirects do shop.php as i told it to do in the function that i call to add the redirect... that... orr its just updating.. but seems like it redirects... anyways... here are the files of my related to the shop: (ATTACHED) and i must say, i dont really knows how to explain this... since it would be impossible to redirect without the function, and that i cannot see either on the URL... :/...so please tell me if you need more information on anything... dont knows what to tell... (NO PAGE ERRORS...) so i cannot really answer anymore questions on this problem unless you are asking me ... Hoping answers soon... Regards: rootKID EDIT: Note that the details page its just a beginning... but thinked that it would be ok to add it just in case you was wonder... lol ...

Hello, I am currently trying to take an html form with array entry, then store these array's into $_SESSION. Please help. The code is listed below. This is the form: <form method="post" action="system/processor/ac36e5fbdefed15a4daf3d7008723c87.php"> <p><table cellpadding=5 cellspacing=5 rules=none width="100%"> <tr> <th>Date</th> <th> </th> <th> </th> <th>Start Time</th> <th>End Time</th> </tr> <?php session_start(); $i = 1; while($i <= "$_SESSION[amt_dates]") { echo("<tr>"); echo("<td><select name=\"month[]\"> <option value=\"01\">January</option> <option value=\"02\">Febuary</option> <option value=\"03\">March</option> <option value=\"04\">April</option> <option value=\"05\">May</option> <option value=\"06\">June</option> <option value=\"07\">July</option> <option value=\"08\">August</option> <option value=\"09\">September</option> <option value=\"10\">October</option> <option value=\"11\">November</option> <option value=\"12\">December</option> </select></td>"); echo("<td><select name=\"day[]\">"); $h=1; while($h <= 31) { echo("<option value=\"$h\">$h</option>"); $h++; } echo("</select></td>"); echo("<td><select name=\"year[]\">"); $e= date(Y) + 10; $u = date(Y); while($u <= $e) { echo("<option value=\"$u\">$u</option>"); $u++; } echo("</select></td>"); echo("<td><select name=\"s_time[]\"> <option value=\"8\">8:00 AM</option> <option value=\"9\">9:00 AM</option> <option value=\"10\">10:00 AM</option> <option value=\"11\">11:00 AM</option> <option value=\"12\">12:00 PM</option> <option value=\"13\">1:00 PM</option> <option value=\"14\">2:00 PM</option> <option value=\"15\">3:00 PM</option> <option value=\"16\">4:00 PM</option> <option value=\"17\">5:00 PM</option> <option value=\"18\">6:00 PM</option> <option value=\"19\">7:00 PM</option> <option value=\"20\">8:00 PM</option> <option value=\"21\">9:00 PM</option></select></td>"); echo("<td><select name=\"e_time[]\"> <option value=\"8\">8:00 AM</option> <option value=\"9\">9:00 AM</option> <option value=\"10\">10:00 AM</option> <option value=\"11\">11:00 AM</option> <option value=\"12\">12:00 PM</option> <option value=\"13\">1:00 PM</option> <option value=\"14\">2:00 PM</option> <option value=\"15\">3:00 PM</option> <option value=\"16\">4:00 PM</option> <option value=\"17\">5:00 PM</option> <option value=\"18\">6:00 PM</option> <option value=\"19\">7:00 PM</option> <option value=\"20\">8:00 PM</option> <option value=\"21\">9:00 PM</option></select></td>"); $i++; } ?> <tr> <td colspan="5"><center><input type="submit" value="Add Dates To Order"></center></td> </tr> </table> </form> ac36e5fbdefed15a4daf3d7008723c87.php: <?phpsession_start();require('sql.php');#$a = "$_SESSION[amt_dates]";#$i = 1;#while($i <= $a){#Month$_SESSION['month'][$i] = "$_POST[month][$i]";$i++;}#$i = 1;#while($i <= $a){#day$_SESSION['day'][$i] = "$_POST[day][$i]";$i++;}#$i = 1;#while($i <= $a){#year$_SESSION['year'][$i] = "$_POST[year][$i]";$i++;}#$i = 1;#while($i <= $a){#s_time$_SESSION['s_time'][$i] = "$_POST[s_time][$i]";$i++;}#$i = 1;#while($i <= $a){#e_time$_SESSION['e_time'][$i] = "$_POST[e_time][$i]";$i++;}##header("location: http://www.pickinpal.zxq.net/review.php");exit;?> review.php: <form method="post" action=""> <p><table cellpadding=5 cellspacing=5 rules=none width="100%"> <tr> <th>Date</th> <th> </th> <th> </th> <th>Start Time</th> <th>End Time</th> </tr> <?php session_start(); # $a = "$_SESSION[amt_dates]"; # $i = 0; # while($i <= $a) { # echo("<tr>"); echo("<td>" . $_SESSION[month]['$i'] . "</td>"); echo("<td>" . $_SESSION[day]['$i'] . "</td>"); echo("<td>" . $_SESSION[year]['$i'] . "</td>"); echo("<td>" . $_SESSION[s_time]['$i'] . "</td>"); echo("<td>" . $_SESSION[e_time]['$i'] . "</td>"); echo("</tr>"); $i++; } # ?> </table></p>